Red Tree Communications |

6 Things You Need to Do to Prevent Getting Hacked

summest — Tue, 10 May 2022 16:22:00 +0000

THERE ARE TWO big reasons why people get hacked. Flaws in software and flaws in human behavior. While there’s not much you can do about coding vulnerabilities, you can change your own behavior and bad habits.

Just ask former US president Donald Trump, whose Twitter password was “maga2020!” Or Boris Johnson, who revealed details of sensitive Zoom calls at the start of the pandemic in 2020. (These world leaders will have had specific security training from protection agencies too.)

The risks are just as real for the average person—even if the stakes aren’t quite so high. If your accounts aren’t properly protected, your credit card could be compromised or your private messages and photographs stolen and shared for all to see. Working out if your accounts have been hacked is a time-consuming and potentially frustrating process. You’re better off taking some steps to mitigate the risks of getting hacked in the first place. Here’s what you can do to protect yourself.

Use Multi-Factor Authentication

Arguably the most effective thing you can do to protect your online accounts is turning on multi-factor, or two-factor, authentication for as many of your accounts as possible. The method uses a secondary piece of information—often a code generated by an app or sent via SMS—alongside a password.

This secondary piece of information helps to prove it really is you trying to log in, as the codes are often accessed on the phone in your pocket. Even if you do have a password that’s easy to guess (we’ll get to that shortly), an attacker is unlikely to get access to an account with multi-factor authentication turned on unless they have your phone.

There’s a guide to all the accounts that support the method here, but in the first instance you should turn it on for all the accounts that hold personal information that could be abused. Like messaging apps such as WhatsApp, social media including Facebook, Instagram, and Twitter, and your email accounts.

Not all forms of multi-factor authentication are equal though. Code-generating apps are considered more secure than getting codes via SMS, and beyond that, physical security keys provide an even more robust layer of protection.

Get a Password Manager

Let’s talk about passwords. It’s 2021. You shouldn’t be using “password” or “12345” for any of your passwords—even if it’s a throwaway account.

All the passwords you use for your online accounts should be strong and unique. What this really means is they should be long, include a mixture of different character types, and not be used across multiple websites. Your Twitter password shouldn’t be the same as your online banking one; your home Wi-Fi network shouldn’t use the same credentials as your Amazon account.

The best way to do this is by using a password manager. Password managers create strong passwords for you and store them securely. If the fact that they can stop you getting hacked isn’t enough to make you consider using one, a password manager also means you never have to struggle to remember a forgotten password again.

From our testing of the best password managers out there, we recommend trying out LastPass or KeePass.Learn How to Spot a Phishing Attack

Quickly clicking can be your worst enemy. When a new email or text message arrives, and it includes something that can be tapped or clicked, our instincts often lead us to do it straight away. Don’t.

Hackers have used the pandemic as cover to launch wave after wave of phishing attacks and dumb Google Drive scams.

Anyone can fall for these types of scams. The main thing to do is to think before you click. Scam messages try to trick people into behaving in a way they wouldn’t normally—with, say, pretend instant demands from a boss or messages that say an urgent response is required.

There’s no foolproof way to identify every type of phishing effort or scam—scammers are constantly upping their game—but being aware of the threat can help reduce its effectiveness. Be cautious, think before you click, and download files only from people and sources you know and trust.

Update Everything

Every piece of technology you use—from the Facebook app on your phone to the operating system that controls your smart lightbulb—is open to attack. Thankfully, companies are always finding new bugs and fixing them. That’s why it’s crucial you download and update the latest versions of the apps and software you’re using.

Start with your phone. Navigate to your device settings and find out what operating system you’re using, and update it if you’re not on the latest version (iOS 14 is the latest for iPhones; Android 11 is the latest from Google). For apps and games, Apple’s iOS 13 and above downloads updates automatically, although these settings can be customized. On Android, auto-updates can also be turned on by visiting the settings page in the Google Play Store.

Once you’ve updated your phone, you need to work out what devices to update next. Generally these should be done in order of potential impact. Any laptops and computers you own should be high up the list, and then work back through other connected devices in your life. Remember: Everything is vulnerable, including your internet-connected chastity belt.

Encrypt Everything

Protecting your communications has never been easier. Over the last half-decade, companies handling our personal data—including the messages we send and the files we upload to the cloud —have realized that encryption can help them as well as their customers. Using encrypted services means that what you’re sending is better protected against surveillance and won’t be accessible if your device gets lost or stolen.

There are two main end-to-end encrypted messaging services, Signal and WhatsApp. Messages (including photos and videos) plus voice calls and video calls are encrypted by default within both apps. They both also let you use disappearing messages, which remove what you’ve sent after a set period of time. The practice can help keep your chats private, even from those that have access to your devices. Our advice is to use Signal where possible, as it collects less metadata than WhatsApp and isn’t owned by Facebook. But if you can’t get your friends to move to Signal, WhatsApp offers a lot more protection than apps that don’t use end-to-end encryption by default.

For your emails, encrypted provider ProtonMail can protect your messages, and there’s also the option to use burner email accounts for mailing lists and purchases where you don’t want to hand over your personal data.

Beyond your messages, encrypting the files on your devices can help reduce the chances of your data being compromised if you’re hacked or lose your devices. Both iPhone and iOS encrypt your hard drive by default. Just make sure you use a strong password or PIN for your devices. A little more effort is needed to encrypt the hard drive on your laptop or computer. Turn on Apple’s FileVault to encrypt your startup disk, and on Windows you can turn encryption on through the Settings menus or use BitLocker encryption.

Wipe Your Digital Footprint

The past can come back to haunt you. The old online accounts you no longer use and the login details that belong to them can be weaponized against you if you don’t do anything about them. Hackers frequently use details from previous data breaches to access the accounts people currently use.

Reducing the amount of information that’s available about your online life can help cut your risk of being hacked. A very simple step is to regularly delete your Google search history, but you can also use privacy-first Google alternatives.

Beyond this, there’s a lot more you can do to reduce your digital footprint. Find the old accounts you no longer use and delete them. It’ll reduce the amount of spam you get and reduce the number of ways hackers can target you. Use Have I Been Pwned? to find your information in old data breaches, use a VPN to boost browsing privacy, and download Tor if you really want to boost your online anonymity.

This story originally appeared on WIRED UK.

How to avoid ransomware attacks at work

summest — Wed, 14 Jul 2021 14:53:22 +0000

By Tatum Hunter, Washington Post, July 8, 2021|

When a security vulnerability at IT software-maker Kaseya led to a ransomware attack that affected 800 to 1,500 businesses, it wasn’t one employee’s fault.

But that’s not always the case.

Ransomware, which locks down a target’s computers and data, can infect a network a few different ways, including through employee accounts. Click the wrong link, open the wrong attachment or log into the wrong website, and you could put your company in a perilous position.

Depending on their roles, some employees find their inboxes flooded with hundreds of phishing emails designed to steal the recipient’s credentials, says Ryan Kalember, executive vice president of cybersecurity strategy at security firm Proofpoint. That requires constant attention, especially as ransomware attacks become more frequent and their demands more intense. The average ransomware payment has nearly tripled so far in 2021 compared to last year, with targets doling out about $850,000, according to a report by Palo Alto Networks.

“If you have a word like ‘accounts’ in your title, you will be attacked more,” Kalember says.

And that doesn’t mean others should let their guards down. Plenty of firms don’t have the resources to invest in frequent training, software upgrades and security systems — so employees become the first line of defense.

Luckily, conning people is an ancient art, and ransomware groups aren’t breaking new ground. Phishing emails aim for an emotional reaction, says Palo Alto Networks Deputy Director of Threat Intelligence Jen Miller-Osborn. These messages pull busy employees in with promises of money, important company secrets and even cute animals pictures.

Keep an eye out for these phishing red flags to avoid ransomware and cover your behind.

Here’s how employers can help individuals guard against phishing and ransomware:

Train employees to spot phishing attempts

Employees need frequent training to keep up with the evolving format and content of phishing emails. One study from a few German universities found employees’ ability to identify phishing attempts drops just six months after their initial training, and that video and interactive training courses are most effective.

Authenticate your corporate email domain.

This blocks the delivery of messages from fraudsters pretending to be a member of your organization. Check with your email service provider, like Microsoft Outlook or Google, to get started. You should also attach warnings to emails coming from external senders or containing links or attachments — both Outlook and Gmail offer this feature.

Clarify what employees should do if they click a suspicious link or attachment.

If people are afraid to report or don’t know how, they probably won’t do it. Make sure reporting procedures are outlined in your company’s security policy. Kalember recommended automated reporting, which lets employees report malicious email with the click of a button.

Leave room for human error.

Somebody is always going to open the phishing email promising adorable kitten pictures. So consider hedging your bets with anti-phishing technology like remote browsers, in which URLs open not in a traditional browser, but in a special environment in the cloud that disappears as soon as you’re done with it. That way, no matter what the URL contains, it can’t compromise the employee.

Conduct ongoing security testing.

Attackers use malicious files and compromised business email accounts to install ransomware on company computers and networks, but software vulnerabilities are another way in. Your company’s IT team — or a third party — should be actively looking for threats on your network.

What does bitcoin and other cryptocurrency have to do with the rise of ransomware?

summest — Sat, 20 Feb 2021 17:45:34 +0000

The rise of crypocurrencies like bitcoin has made it easy for cyber criminals to secretly receive payments extorted with this type of malware, without the risk of the authorities being able to identify the perpetrators.

The secure, untraceable method of making payments – victims are asked to make a payment to a bitcoin address – makes it the perfect currency for criminals who want their financial activities to remain hidden.

Cyber-criminal gangs are constantly becoming more professional – many even offer customer service and help for victims who don’t know how to acquire or send bitcoin, because what’s the point of making ransom demands if users don’t know how to pay? Some organisations have even hoarded some of the cryptocurrency in case they get infected or their files are encrypted and have to pay in bitcoin in a hurry.